I spent a bit of time on this trying to get Volatility 2 to work with the Mimikatz plug-in. I was not successful. I was able to run the Volatility hashdump module.
I switched to Volatility3 and ran hashdump. For whatever reason the output of Volatility3 was different.
The only user besides the default accounts is for ‘Congo.’ Copy the hashed password and head over to https://hashes.com/en/decrypt/hash where we can search for the hash.
Yay, we got a match.
[Note: anecdotally I was advised that you could do this offline as well with Hashcat and the rockyou wordlist. I had tried that earlier but was using the Volatility2 output. 😦 ]
The last step is to convert ‘goldfish#’ to MD5.
Now just wrap it in the flag { } and you’re good to go.
Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.
This was a change of pace from what a lot of the CTF has been; lots of malware and deobfuscation. In this challenge we’re tasked with figuring out which faces are real and which have been AI generated.
Before starting the challenge, I familiarized myself with
It gave me good ideas of things to look for regarding teeth, glasses, earrings, other faces in photos, etc.
Eventually, I was able to get 5 right in a row.
Operation Eradication
Let’s take a look at the configuration file.
This looks like a config file for rclone.
Using this information, and the url provided from the challenge, we can update our rclone config file.
Now using rclone we can connect to the remote location and hopefully start deleting these ‘sensitive’ files. If only it were so easy.
I was able to get a directory listing, so I knew that my credentials were successfully connecting.
I was all over the command options at https://rclone.org. Every DELETE or SYNC operation I could think of was failing.
At my wit’s end I pinged a friend who suggested trying to overwrite the files with a 0 bit file. If successful the files would still be there, but the content gone – so essentially, they’d be safe again.
Using the file listing from the server, I wrote a PowerShell script that would touch, or create a 0 byte file, locally for each file names.
Next the script would run the rclone copy command to copy the local 0 byte files to the network location.
I run the PowerShell script and then return to the webpage and refresh…
DOH! There was a typo in one line of the script. I’ll re-run the file listing command again. All but one file have the 0 byte file size.
Run the copy command one more time to take care of our errant file and…
Success!
Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.
If you open the log with Event Viewer, you may see there’s an entry for a (non-actual) event ID of 1337.
The error content isn’t very helpful.
Let’s take a hint from the title and run the event log through Chainsaw.
Nothing significant when using the stock rules. What if we poke specifically at Event ID 1337.
That looks interesting.
Copy the binary data and bring it over to CyberChef
From unintelligible binary to unintelligible PowerShell.
Copy the output and save it is a .ps1 file. We can run the script through PowerDecode.
PowerCode works down through the obfuscation layers, finally revealing the plain text of the command.
Now that the code has been deobfuscated, time to figure out what it does. I copied the code into PowerShell ISE and start isolating the different command sections.
One of the commands does a DNS lookup and directs the output into a string.
If we run the command on its own we can see the output. The last part of the script checks to see if the output matches the pattern of a Base64 encoded string, and if so, decodes it.
Now what was that about Tokyo?
Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.
This is a multipart challenge. All the flags can be found within the live Microsoft 365 instance that we’ll ssh into.
The clue is street address. I’m not too fluent in the capabilities of AADInternals, so the first thing I do is head over to the documentation.
If I do a search on ‘street’ I see that it’s part of an Output example for Get-AADintTenantDetails
Ok, let’s give that command a go.
And there’s the flag under the street value.
For the next one, It not so subtly says that Conditional Access Policies will be part of this, so again we reference the docs. Get-AADIntConditionalAccessPolicies seems like a good candidate.
Two for two.
Microsoft Teams will be our focus on the third one. There’s dozens of Teams commands available within AADInternals. If we focus on message, that will get us to Get-AADIntTeamsMessages.
Having the documentation for the syntax really helped on this one.
And for the last one, no there isn’t a Get-AADIntPresident command. That would be too easy. How about a command that will show us all the users?
Scrolling up through the output, we find that the President (PattiF), has a flag in the telephone number field.
4 out of 4.
Use the tag #HuntressCTF on BakerStreetForensics.com to see all related posts and solutions for the 2023 Huntress CTF.
Baker Street Forensics 